The security field has become a hot field. Like web scripters in the 90s, everyone and their dog is getting into the field. The market has become a mess. Take a short example.
For some reason my CTO wanted to implement webmail. He went with Exchange because M$ gave it to us for free. We called in a security expert/MCSE to give us the lowdown on the risks associated with implementing OWA. It goes like this:
Security expert: Open these two billion (I exaggerate) ports and your webmail can sit on your DMZ.
Myself: No
Security expert: It will only work that way, I'll secure your DMZ for you
Myself: No
Security expert: OK big shot
Myself: Proxy pass-through on Unix; open one port, 443, on the firewall.
Security expert: Refers to the Unix box as a "magic box." Refers to the solution as wizardry. Still claims that it should not work.
Security expert still gets paid, wanders off with head up ass.
I admit there are guys out there that are good, very good, but my experience with the majority has been lacking.
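The design argued for in the exchange above (a proxy in the DMZ forwarding only the webmail path to the internal Exchange server, with a single port 443 open on the outer firewall), written up as an added example that is not part of the original post. It uses nginx as the reverse proxy; the hostname, the internal address 10.0.0.25, the certificate paths and the /owa/ virtual directory are assumptions for illustration, and forms-based OWA authentication is assumed.

```nginx
# Added example: TLS-terminating reverse proxy sitting in the DMZ in front of
# an internal Exchange OWA server. Hostnames, addresses, cert paths and the
# /owa/ path are assumptions for illustration. The external firewall only
# needs TCP/443 inbound to this host; the internal firewall only needs
# TCP/443 from this host to the mailbox server. Nothing else is exposed.

# Plain HTTP serves nothing; it just sends the client to TLS.
server {
    listen 80;
    server_name mail.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Default: refuse. Any path not allowed below never reaches the
    # Exchange server, so its other virtual directories stay internal.
    location / {
        return 404;
    }

    # Convenience: the bare hostname lands on webmail.
    location = / {
        return 302 /owa/;
    }

    # Only the webmail path is forwarded, and only to the one internal host.
    location /owa/ {
        proxy_pass         https://10.0.0.25/owa/;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # OWA sessions can hold long-polling requests open for a while.
        proxy_read_timeout 300;
    }
}
```

Because nginx picks the longest matching prefix, /owa/ wins over the catch-all location, and everything else gets a 404 from the proxy itself without a single packet going to the internal server. Check the result from outside with a port scan of the proxy (only 443, plus the 80 redirect if you keep it, should answer) and with a request for a non-OWA path such as /ecp/, which should come back as a 404 from the proxy rather than a page from Exchange.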
The consultant knew that "ease of use" sells better than security to a non-techie. Besides, he doesn't hang around to clean up the mess.
I loved it when I was told the most powerful person in the dept needed the ability to shut down her firewall in case she couldn't get to a website.